Domain name registrar and website hosting provider Go Daddy is responding to a DNS attack targeting a "small number" of its hosted websites that one security firm said is enabling cybercriminals to spread ransomware.
DNS wasn't hacked none of our systems were hacked. These threat actors are using compromised user credentials.
Scott Gerlach, director of information security operations, Go Daddy
The attack targets the DNS records of sites, adding a subdomain leading to malicious IP addresses. It was detected recently by UK-based security vendor Sophos.
"This enables the attackers to use legitimate-looking URLs in their attacks, which can help to evade security filtering and trick users into thinking the content must be safe," wrote Fraser Howard, a principal virus researcher at SophosLabs. "The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers."
Experts say the hack does not appear very sophisticated. The attacker is using stolen credentials to gain access to the victim's Go Daddy account management console where the DNS settings can be made.
The attack is one of a number of common techniques used to dupe people into believing they are on a legitimate site. DNS attacks are common and have been used for years, targeting a variety of configuration weaknesses and protocol errors. The most publicized attack is a DNS Cache Poisoning, a technique that corrupts the Internet server's domain name system table by replacing an Internet address with that of another, rogue address.
Go Daddy: Issue is not a vulnerability
Go Daddy has been dealing with the issue for the last couple of months, said Scott Gerlach, director of information security operations at Go Daddy. The company is removing the malicious DNS entries from targeted sites and resetting customer passwords. In an interview with SearchSecurity.com, Gerlach said about 100 sites have been impacted and urged customers to consider using stronger passwords.
"We confirmed that there is no vulnerability being exploited in DNS systems to make this happen," Gerlach said. "DNS wasn't hacked none of our systems were hacked. These threat actors are using compromised user credentials."
Gerlach said DNS issues are the smallest problem handled by the security team. Denial-of-service attacks are a frequent problem, he said, followed by vulnerabilities in outdated third-party content management system platforms, such as Wordpress and Jumilla. Attackers use vulnerabilities in the platforms and inject malicious code to set up drive-by attack websites, Gerlach said.
Brute-force password attacks and phishing scams are a persistent problem, Gerlach said. Users can reduce the risk of being targeted by this kind of attack by using strong passwords and enabling two-factor authentication. Go Daddy's two-step verification sends a validation code via a text message when trying to log into a hosting account. Two-step verification is available to users in Canada and the U.S. An international roll-out of the service is planned, according to Gerlach.
Go Daddy's incident response team suspects that the source of the attack could be the Cool Exploit Kit, an automated attack toolkit which is responsible for spreading ransomware. It's likely that the affected customers have had their credentials phished or their home machines infected by malware spread by the toolkit, Go Daddy said.
Sophos' Howard said the ransomware appears to be catered to the victim's specific location. Users receive a phony message purportedly from the FBI that the computer's IP address is linked to child pornography. The computer is locked until a ransom is paid.
The Cool Exploit Kit targets a variety of vulnerabilities, including Java errors, and has been seen spreading via drive-by attack websites "The rogue servers are running an exploit kit calling itself 'Cool EK'," Howard wrote. "The Russian origin of the kit is evident from the login page for the admin panel."